What does packet latency thresholding measure?
What does packet latency thresholding measure?
A. the total elapsed time it takes to process a packet
B. the amount of time it takes for a rule to process
C.

A one-to-many type of scan, in which an attacker uses a single host to scan a single port on multiple target hosts, indicates which port scan type?
A. port scan

Controlling simultaneous connections is a feature of which type of preprocessor?
A. rate-based attack prevention
B. detection enhancement
C. TCP and network layer preprocessors
D. performance settings
Correct Answer: A

Suppose an administrator is configuring an IPS policy and attempts to enable intrusion rules that require the operation of the TCP stream preprocessor, but the TCP stream preprocessor is turned

Which feature of the preprocessor configuration pages lets you quickly jump to a list of the rules associated with the preprocessor that you are configuring?
A. the rule group accordion

Which statement represents detection capabilities of the HTTP preprocessor?
A. You can configure it to blacklist known bad web servers.
B. You can configure it to normalize cookies in HTTP

Which option is a remediation module that comes with the Sourcefire System?
A. Cisco IOS Null Route
B. Syslog Route
C. Nmap Route Scan
D. Response Group
Correct Answer: A

Which list identifies the possible types of alerts that the Sourcefire System can generate as notification of events or policy violations?
A. logging to database, SMS, SMTP, and SNMP
B.

Which statement is true when network traffic meets the criteria specified in a correlation rule?
A. Nothing happens, because you cannot assign a group of rules to a correlation policy.

What does the whitelist attribute value “not evaluated” indicate?
A. The host is not a target of the whitelist.
B. The host could not be evaluated because no profile exists

Which option is a valid whitelist evaluation value?
A. pending
B. violation
C. semi-compliant
D. not-evaluated
Correct Answer: D

Correlation policy rules allow you to construct criteria for alerting on very specific conditions. Which option is an example of such a rule?
A. testing password strength when accessing an

Stacking allows a primary device to utilize which resources of secondary devices?
A. interfaces, CPUs, and memory
B. CPUs and memory
C. interfaces, CPUs, memory, and storage
D. interfaces and

Which Sourcefire feature allows you to send traffic directly through the device without inspecting it?
A. fast-path rules
B. thresholds or suppressions
C. blacklist
D. automatic application bypass
Correct Answer:

The gateway VPN feature supports which deployment types?
A. SSL and HTTPS
B. PPTP and MPLS
C. client and route-based
D. point-to-point, star, and mesh
Correct Answer: D

Which mechanism should be used to write an IPS rule that focuses on the client or server side of a TCP communication?
A. the directional operator in the rule header

Which option describes the two basic components of Sourcefire Snort rules?
A. preprocessor configurations to define what to do with packets before the detection engine sees them, and detection engine

When configuring an LDAP authentication object, which server type is available?
A. Microsoft Active Directory
B. Yahoo
C. Oracle
D. SMTP
Correct Answer: A

Context Explorer can be accessed by a subset of user roles. Which predefined user role is valid for FireSIGHT event access?
A. Administrator
B. Intrusion Administrator
C. Maintenance User
D.

Context Explorer can be accessed by a subset of user roles. Which predefined user role is not valid for FireSIGHT event access?
A. Administrator
B. Intrusion Administrator
C. Security Analyst

Which statement describes the meaning of a red health status icon?
A. A critical threshold has been exceeded.
B. At least one health module has failed.
C. A health policy

The collection of health modules and their settings is known as which option?
A. appliance policy
B. system policy
C. correlation policy
D. health policy
Correct Answer: D

Which event source can have a default workflow configured?
A. user events
B. discovery events
C. server events
D. connection events
Correct Answer: B

Remote access to the Defense Center database has which characteristic?
A. read/write
B. read-only
C. Postgres
D. Estreamer
Correct Answer: B

Which statement regarding user exemptions is true?
A. Non-administrators can be made exempt on an individual basis.
B. Exempt users have a browser session timeout restriction of 24 hours.
C.

What is the maximum timeout value for a browser session?
A. 60 minutes
B. 120 minutes
C. 1024 minutes
D. 1440 minutes
Correct Answer: D

Which policy controls malware blocking configuration?
A. file policy
B. malware policy
C. access control policy
D. IPS policy
Correct Answer: A

Which statement is true regarding malware blocking over HTTP?
A. It can be done only in the download direction.
B. It can be done only in the upload direction.
C.

A context box opens when you click on an event icon in the Network File Trajectory map for a file. Which option is an element of the box?
A. Scan

Which option can you enter in the Search text box to look for the trajectory of a particular file?
A. the MD5 hash value of the file
B. the SHA-256

Other than navigating to the Network File Trajectory page for a file, which option is an alternative way of accessing the network trajectory of a file?
A. from Context Explorer

A user discovery agent can be installed on which platform?
A. OpenLDAP
B. Windows
C. RADIUS
D. Ubuntu
Correct Answer: B

In addition to the discovery of new hosts, FireSIGHT can also perform which function?
A. block traffic
B. determine which users are involved in monitored connections
C. discover information about

The IP address ::/0 is equivalent to which IPv4 address and netmask?
A. 0.0.0.0
B. 0.0.0.0/0
C. 0.0.0.0/24
D. The IP address ::/0 is not valid IPv6 syntax.
Correct Answer: B

Which option is derived from the discovery component of FireSIGHT technology?
A. connection event table view
B. network profile
C. host profile
D. authentication objects
Correct Answer: C

When configuring FireSIGHT detection, an administrator would create a network discovery policy and set the action to “discover”. Which option is a possible type of discovery?
A. host
B. IPS

FireSIGHT uses three primary types of detection to understand the environment in which it is deployed. Which option is one of the detection types?
A. protocol layer
B. application
C.

FireSIGHT recommendations appear in which layer of the Policy Layers page?
A. Layer Summary
B. User Layers
C. Built-In Layers
D. FireSIGHT recommendations do not show up as a layer.

Which option is used to implement suppression in the Rule Management user interface?
A. Rule Category
B. Global
C. Source
D. Protocol
Correct Answer: C

When you are editing an intrusion policy, how do you know that you have changes?
A. The Commit Changes button is enabled.
B. A system message notifies you.
C. You

Which option is true of the Packet Information portion of the Packet View screen?
A. provides a table view of events
B. allows you to download a PCAP formatted file

Which option is not a characteristic of dashboard widgets or Context Explorer?
A. Context Explorer is a tool used primarily by analysts looking for trends across varying periods of time.

One of the goals of geolocation is to identify which option?
A. the location of any IP address
B. the location of a MAC address
C. the location of a